[Snort-devel] sfportscan generated packets always off by 14

Jon Hart warchild at ...1775...
Thu Dec 30 10:13:07 EST 2004


Hi,

I just upgraded a sensor to 2.3.0RC2 today.  This is on OpenBSD 3.6
-current on x86, running with mostly default snort configs and rules.  I
use log_tcpdump and alert_syslog for my outputs.

Minutes after I restarted snort, I got the following in syslog:

snort: [122:3:0] (portscan) TCP Portsweep {RESERVED} 172.202.215.77 ->
66.92.70.174

So I checked the relevant pcap (attached).  This pcap and all other
subsequent pcaps generated by sfportscan are always off by 14 bytes,
in this case meaning that the IP datagram said there were 14 more bytes
than were actually present.

A quick check of the source shows this, on line 322 of
src/preprocessors/spp_sfportscan.c in MakePortscanPkt():

	unsigned int   total_size = ETHERNET_HEADER_LEN;

total_size is used later to set the IP datagram length, but the IP
datagram length should be the IP header length plus the payload length,
which will in turn include the appropriate numbers from all higher
layers.  Lower layers, in this case ethernet, should not be included in
this calculation.  From the looks of things, the easiest fix would be to
set total_size to 0 at the start instead of ETHERNET_HEADER_LEN.  I
haven't tested this, but it seems pretty straightforward.

Not a huge deal because finding broken IP protocol 255 packets is pretty
easy, but having incorrect lengths may cause bugs elsewhere.

Thanks!

-jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: offby14.pcap
Type: application/octet-stream
Size: 216 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20041230/c0aad98e/attachment.obj>
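To make the length bug in the message above concrete, here is an added example that is not code from the original mail or from Snort. A hypothetical builder packs a minimal IPv4 header in front of a payload, starting its size accumulator either at 0 (correct) or at ETHERNET_HEADER_LEN (reproducing the off-by-14 described above); a hypothetical checker then compares the IP total-length field against the bytes actually present, both for a bare datagram and for an Ethernet frame such as one read from a pcap. The names build_ip_datagram, ip_length_mismatch, frame_length_mismatch and demo_mismatch are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETHERNET_HEADER_LEN 14   /* same constant the mail refers to */
#define IP_HEADER_LEN       20   /* IPv4 header without options */

/* Write a 16-bit value in network (big-endian) byte order. */
static void put_be16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v >> 8);
    p[1] = (uint8_t)(v & 0xff);
}

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Hypothetical builder: IPv4 header followed by payload, no Ethernet header.
 * initial_total mirrors the accumulator's starting value in the mail:
 * 0 is correct, ETHERNET_HEADER_LEN reproduces the bug.
 * Returns the number of bytes written, or 0 if buf is too small. */
size_t build_ip_datagram(uint8_t *buf, size_t buflen,
                         const uint8_t *payload, size_t payload_len,
                         unsigned int initial_total)
{
    unsigned int total_size = initial_total;

    if (buflen < IP_HEADER_LEN + payload_len)
        return 0;

    total_size += IP_HEADER_LEN;   /* IP header */
    total_size += payload_len;     /* everything above IP */

    memset(buf, 0, IP_HEADER_LEN);
    buf[0] = 0x45;                          /* version 4, IHL 5 */
    put_be16(buf + 2, (uint16_t)total_size); /* total length field */
    buf[8] = 64;                            /* TTL */
    buf[9] = 255;                           /* protocol 255, as in the mail */
    /* checksum and addresses left zero; not needed for the length check */
    memcpy(buf + IP_HEADER_LEN, payload, payload_len);
    return IP_HEADER_LEN + payload_len;
}

/* Declared IP total length minus bytes actually present in the datagram.
 * 0 means consistent; positive means the header claims more than exists;
 * -1 means the buffer is too short to even hold an IPv4 header. */
int ip_length_mismatch(const uint8_t *datagram, size_t actual_len)
{
    if (actual_len < IP_HEADER_LEN)
        return -1;
    return (int)get_be16(datagram + 2) - (int)actual_len;
}

/* Same check for a captured Ethernet frame (e.g. one record of a pcap):
 * skip the 14-byte link header before comparing. */
int frame_length_mismatch(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < ETHERNET_HEADER_LEN)
        return -1;
    return ip_length_mismatch(frame + ETHERNET_HEADER_LEN,
                              frame_len - ETHERNET_HEADER_LEN);
}

/* Build a constructed 8-byte payload inside a constructed Ethernet frame
 * and report the mismatch the checker sees for a given starting value. */
int demo_mismatch(unsigned int initial_total)
{
    uint8_t frame[ETHERNET_HEADER_LEN + 64];
    const uint8_t payload[8] = { 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4 }; /* constructed */
    size_t n;

    memset(frame, 0, ETHERNET_HEADER_LEN);          /* dummy MACs/ethertype */
    n = build_ip_datagram(frame + ETHERNET_HEADER_LEN,
                          sizeof frame - ETHERNET_HEADER_LEN,
                          payload, sizeof payload, initial_total);
    if (n == 0)
        return -1;
    return frame_length_mismatch(frame, ETHERNET_HEADER_LEN + n);
}
```

Running demo_mismatch(0) yields 0, while demo_mismatch(ETHERNET_HEADER_LEN) yields 14: exactly the discrepancy the mail reports between the IP total length and the bytes present. The same frame_length_mismatch check, applied to each record of a capture, is a quick way to confirm whether a sensor build still emits the malformed packets.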

